WebPart.AuthorizationFilter Property


The .NET API Reference documentation has a new home. Visit the .NET API Browser on docs.microsoft.com to see the new experience.

Gets or sets an arbitrary string to determine whether a WebPart control is authorized to be added to a page.

Namespace:   System.Web.UI.WebControls.WebParts
Assembly:  System.Web (in System.Web.dll)

public virtual string AuthorizationFilter { get; set; }

Property Value

Type: System.String

A string that authorizes a control to be added to a Web page. The default value is an empty string ("").

The Web Parts control set does not implement any default behavior for the AuthorizationFilter property. However, the property is provided so that you can assign an arbitrary string value to a custom WebPart control; this property can be checked by the WebPartManager control during its AuthorizeWebPart event to determine whether the control can be added to the page.

In some cases, the AuthorizationFilter property might be used with the ASP.NET role manager feature, so that if a user is in a certain role, and if the string value of the AuthorizationFilter property meets certain conditions set by the developer, then the control can be added. This approach allows developers to create custom views of a page based on a combination of roles and other authorization criteria that they specify.

This property cannot be set by themes or style sheet themes. For more information, see ThemeableAttribute and ASP.NET Themes and Skins.

The personalization scope of this property is set to Shared and can be modified only by authorized users. For more information, see PersonalizableAttribute and Web Parts Personalization Overview.

Notes to Inheritors:

To use this property, you must create a custom WebPartManager control, and override either its OnAuthorizeWebPart method or its IsAuthorized method to handle the check for the AuthorizationFilter property.

The following code example demonstrates the use of the AuthorizationFilter property. It shows how to set a custom method handler for the AuthorizeWebPart event, so that the handler can provide custom filtering code for the OnAuthorizeWebPart method. This example would be a typical way for a page developer to provide a filtering scenario and authorization of WebPart controls to be added to a page.

In the Web page code, notice that the <asp:webpartmanager> element has the OnAuthorizeWebPart attribute with the name of the event handler assigned to it. This method checks whether the controls on the page have their AuthorizationFilter property value set to admin, and if so, returns true, which means that they will be authorized and added to the page.


Note that controls that do not have any value assigned to the AuthorizationFilter property are added as well, because they are assumed not to be part of a filtering scenario. This would be a common approach in a filtering scenario: some controls would be filtered, and others would not be, because they are presumed to be available for all users.

<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<script runat="server">

  protected void mgr1_AuthorizeWebPart(object sender, 
    WebPartAuthorizationEventArgs e)
    if (!String.IsNullOrEmpty(e.AuthorizationFilter))
      if (e.AuthorizationFilter == "user")
        e.IsAuthorized = true;
        e.IsAuthorized = false;


<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
    <form id="form1" runat="server">
      <asp:WebPartManager ID="mgr1" runat="server"
        OnAuthorizeWebPart="mgr1_AuthorizeWebPart" />
      <asp:WebPartZone ID="WebPartZone1" runat="server">
            Title="Favorite Links"
            <asp:ListItem Value="http://msdn.microsoft.com">
            <asp:ListItem Value="http://www.asp.net">
            <asp:ListItem Value="http://www.msn.com">
          <asp:Label ID="Label1" runat="server" 
            Text="Hello World"
            Title="Filter Test"
            AuthorizationFilter="admin" />
          <asp:Calendar ID="Calendar1" runat="server" 
            Title="My Calendar"/>

Because setting up users in roles is beyond the scope of this topic, this code example does not check user roles in the filtering. However, the scenario of filtering controls according to user roles is likely to be one of the most common uses of this filtering feature. If you have roles on your site, and you want to check user roles in this method to filter controls, the method would resemble the following code block (versus the simpler approach in the preceding code example that does not use roles).

protected void mgr1_AuthorizeWebPart(object sender, 
  WebPartAuthorizationEventArgs e)
  if (!String.IsNullOrEmpty(e.AuthorizationFilter))
    if(Roles.IsUserInRole(Page.User.Identity.Name, e.authorizationFilter))
      e.IsAuthorized = true;
      e.IsAuthorized = false;

.NET Framework
Available since 2.0
Return to top